The Senate Judiciary Committee heard testimony today from Target’s chief financial officer about the massive data breach that hit the company during the holiday shopping season last year.

Target CFO John Mulligan mainly confirmed news we’ve already heard about the breach, including the scope, method, and timeline of the hack. He said he was unable to divulge detailed information because of the continuing forensic and criminal investigation into the attack.

Every member of the Judiciary Committee who spoke agreed: data breaches aren’t going away any time soon. Stolen credit card numbers are a lucrative business for the criminals who can sell and use them. The FBI and Department of Homeland Security have warned of more major hacks on the near horizon.

So other than abandoning the 21st century and going exclusively back to cash, what is a nation full of consumers to do?

If there is a silver lining to the massive cloud of the recent data breaches, perhaps it is that US lawmakers and retailers are discussing making an overdue nationwide card security upgrade a reality at long last.

Mulligan yesterday published an opinion piece for The Hill calling for “smart” chip card adoption in the US, a point that he then reiterated extensively in his testimony today.

Where standard credit and debit cards keep all of their information encoded solely in the magnetic strip along the back, smartcards also have tiny chips embedded in them that encrypt the card’s information. The chips cut back on card fraud because their existence makes cards significantly harder to clone: even if you get all of the information from a card’s magnetic strip, as through a skimmer, without the chip actually being present the card data is useless in a physical transaction.

Technically called EMV cards, chip-enabled smartcards have been in use in much of the rest of the developed world for years. The UK converted over to the chip-and-PIN system nearly a decade ago, where all credit cards are chip-enabled and transactions also require the purchaser to enter a PIN to continue.

“The rest of the world does it” is clearly never enough reason for the United States to do anything. If it were, we’d measure our temperatures in Celsius and our weights in kilograms. Still, vague motions toward bringing the US to chip-enabled cards have been floating around for ages.

American banks have tested the system for international travelers since 2011, and back in 2003, Target tried to bring chip technology to their own Target-branded REDcard. The retailer ended the experiment three years later due to high costs made not worthwhile because chip-reading technology was not being adopted at any other large retailer.

However, it looks like this time, chip-and-signature or chip-and-PIN cards might finally be making actual inroads in the United States. During the hearing, several senators called attention to the need for higher security in credit cards. Representatives from Neiman Marcus, Symantec, and Consumers Union also testified at the hearing, and all agreed that the increased security would help businesses and consumers alike.

Visa and MasterCard have planned milestones for EMV adoption in the United States in 2015 and 2017. Both companies have a series of liability shifts planned. The liability shifts push compliance by shifting the burden for the costs of fraudulent card use. After a liability shift at point-of-sale terminals, if your card info gets swiped from a non-EMV compliant cash register, the retailer will have to bear the loss–not the card issuer. That’s a strong incentive for retailers to upgrade their terminals.

Why has it taken so long to get the ball rolling on the move? For the same reason most systemic changes take so much time: they’re expensive to do, and they require a huge number of participants across industries–retailers, card issuers, the financial sector, information security–to work collaboratively, on the same timetable with the same goals.

Smart cards wouldn’t let retailers or consumers universally off the hook for constant vigilance; fraud can and does still happen. Point of sale terminals for chip-and-PIN cards in the UK have been tampered with, and large-scale fraud has happened. Additionally, the EMV system doesn’t help prevent fraudulent use of credit card data in online transactions; it only helps with physically stolen or cloned cards.

Still, as Mulligan noted, although fraud still happens, chip-enabled cards can make the rates drop significantly:

In the United Kingdom, where smart card technology is widely used, financial losses associated with lost or stolen cards are at their lowest levels since 1999 and have fallen by 67 percent since 2004, according to industry estimates. In Canada, where Target and others have adopted smart cards, losses from card skimming were reduced by 72 percent from 2008 to 2012, according to industry estimates.

During the hearing, Senator Al Franken (D-MN) noted that although the United States has roughly one quarter of all the world’s credit card transactions, we have half of the global incidences of credit card fraud.

Such a mismatch speaks to a definite need for more secure systems, and soon. Franken and other senators asked several pointed questions about October, 2015 as a timeframe for upgrading, wondering if the process could perhaps be expedited in any way.

For the millions of customers who have had their information compromised in 2013, and the millions more who probably still will in 2014, a 2015 upgrade can’t come soon enough.

Comments

Edit Your Comment

I love it… so it was Target that tried to bring this kind of technology into the mainstream back in 2003, but since none of the other retailers wanted to play ball, they abandoned it for traditional credit card security.

It would be about bloody time that the united states joins the rest of the world as far as chip-and-pin cards go. I have lived in the USA for a number of years (I am from England) and was appalled that I could not get a more secure card from any bank. The fact of the matter is that retailers say that it would cost too much to upgrade their POS technology, banks want to milk the current technology as much as they can, and do not want to spend the extra it would cost to implement chip and pin cards in their systems. Chip and pin is not perfect, but it is a hell-of-a-lot more secure than the plain magnetic swipe cards that are over here today. Well, that is one thing I have learned about US companies: They dislike innovation when it means costing them money. Look at Japan; they are decades ahead of the US in terms of technology (and unique taste experiences, for that matter).